Ensuring security: the way we do it
HUSTEF, 2015.11.18
Attila Tóth
Nokia Solutions and Networks 2014

Disclaimer
The ideas, processes and tools are presented from the point of view of a practitioner working on a specific Nokia product. This presentation aims to give an insight, but does not attempt to reach detailed and full coverage valid for all Nokia products.

Basic principles
  Confidentiality: no information disclosure to 3rd party
  Integrity: information / data / piece of code has not been manipulated or altered
  Authentication: ensuring that parties involved are those who they claim to be
  Availability: service / data is available when required
  Authorization: parties have the authority to perform the action
  Non-repudiation: when sending data / message, the party cannot claim later that it was not him who sent it

Dynamic testing

Threat and risk analysis
  Organized as a workshop and documented
  People involved: software and test architects, lead testers and developers, product management
  We are looking for answers to the following questions:
    What are the assets that we need to protect?
    Who are the potential attackers?
    What are the potential attack scenarios?
    What is the likelihood of these attacks?
    What is the impact?
    What can we do to reduce the likelihood or impact?

Privacy risk assessment
  Privacy sensitive data: anything that can be used to track and identify a certain individual can potentially be used for abusing privacy rights.
  Assess each piece of data generated / processed / stored

Feature documentation review
  Check the design before implementation
  Check whether product meets customer security requirements

Code review, static analysis
  Check code created
  Check adherence to secure coding guidelines
  Should spot things like:
    Buffer overflow
    Goto fail
  Create your checklist, e.g.:
    Correct cipher?
    Correct key size?
    Proper random number?
    Sensitive information revealed, logged or leaked?
    Any weak points?

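The checklist above can be partly automated as a pattern-based pre-review pass. The following is an added example, not part of the original presentation: the rule patterns, the 2048-bit RSA minimum and the C fragment are assumptions constructed for illustration, and the OpenSSL function names are only used as search strings.

```python
import re

# Constructed C fragment containing one instance of each checklist item.
SAMPLE = r'''
if ((err = hash_update(&ctx, &params)) != 0)
    goto fail;
    goto fail;
if ((err = hash_final(&ctx, &out)) != 0)
    goto fail;
int nonce = rand();
RSA_generate_key_ex(rsa, 1024, e, NULL);
EVP_EncryptInit_ex(c, EVP_des_cbc(), NULL, key, iv);
syslog(LOG_DEBUG, "login user=%s password=%s", user, password);
'''

MIN_RSA_BITS = 2048  # assumed project minimum, not a value from the slides

# (checklist item, pattern) pairs; illustrative, not exhaustive.
RULES = [
    ("weak cipher or hash", re.compile(r"\bEVP_(des_\w+|rc4|md5)\s*\(")),
    ("non-cryptographic random number", re.compile(r"\b(rand|random)\s*\(")),
    ("sensitive data logged",
     re.compile(r"\b(printf|fprintf|syslog)\s*\(.*(passw|secret|token)", re.I)),
]
RSA_KEYGEN = re.compile(r"\bRSA_generate_key(?:_ex)?\s*\([^,]+,\s*(\d+)")
GOTO = re.compile(r"goto\s+\w+\s*;")

def review(source):
    """Return (line_number, finding) pairs in source order."""
    findings, prev = [], ""
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((no, name))
        m = RSA_KEYGEN.search(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((no, "RSA key shorter than %d bits" % MIN_RSA_BITS))
        # Two identical consecutive gotos: the second one is unconditional.
        if GOTO.fullmatch(line) and line == prev:
            findings.append((no, "duplicated goto (goto fail pattern)"))
        if line:
            prev = line  # remember the last non-blank line
    return findings

if __name__ == "__main__":
    for no, finding in review(SAMPLE):
        print("line %d: %s" % (no, finding))
```

Hits from such a pass are prompts for the human reviewer; the "Any weak points?" item still needs someone reading the code.
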
Vulnerability notification
  Follow up on new vulnerabilities found in 3rd party software, e.g.
    http://cve.mitre.org/
    http://osvdb.org/
    Security bulletins of vendors
    Mailing lists
  Apply security patches proactively

Statement of security compliancy
  Create a list of security base requirements that all products shall meet
  Measure the compliancy on each release
  The compliancy score should not decrease

Discovery test & Port scanning
  To cross check target IP addresses
  To verify in-host firewall and running services on the SUT
  Should match documentation
  Tooling e.g.:
    nmap (open source)

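One way to automate the "should match documentation" check, as an added example that is not part of the original presentation: it parses nmap's grepable output (`-oG`) and compares the open ports with a documented list. The host address, the scan lines and the documented port set are constructed sample data.

```python
# Constructed sample of nmap grepable (-oG) output for a hypothetical SUT.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 161/closed/udp//snmp///\tIgnored State: filtered (996)
# Nmap done
"""

# Hypothetical documented exposure of the SUT: host -> {(port, protocol)}.
DOCUMENTED = {"192.0.2.10": {(22, "tcp"), (443, "tcp"), (161, "udp")}}

def parse_grepable(text):
    """Return {host: {(port, proto)}} for ports reported in state 'open'."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines start with '#'
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                port, state, proto = entry.split("/")[:3]
                if state == "open":
                    found.setdefault(host, set()).add((int(port), proto))
    return found

def compare(scan_text, documented):
    """Return (undocumented_open, documented_not_open) as sorted lists."""
    observed = parse_grepable(scan_text)
    extra, missing = [], []
    for host in sorted(set(observed) | set(documented)):
        seen = observed.get(host, set())
        expected = documented.get(host, set())
        extra += [(host, p, proto) for p, proto in sorted(seen - expected)]
        missing += [(host, p, proto) for p, proto in sorted(expected - seen)]
    return extra, missing

if __name__ == "__main__":
    extra, missing = compare(SAMPLE_SCAN, DOCUMENTED)
    print("open but not documented:", extra)
    print("documented but not open:", missing)
```

Ports in the state `open|filtered`, which nmap commonly reports for UDP, are not counted as open here and need a manual look.
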
Vulnerability scanning
  To verify whether vulnerability notification and patching works
  Scan installed software for known vulnerable versions
  Tooling e.g.:
    OpenVAS (open source)

Robustness testing (Fuzzing)
  To stress test the external interfaces with invalid traffic and observe any crashes
  Tooling e.g.:
    Sulley (open source)
    Peach (community edition)

Web app / database testing
  To test the web application for:
    SQL injection
    Cross Site Scripting (XSS)
    Cross Site Request Forgery (CSRF)
  Tooling e.g.:
    mitmproxy (open source)
    Fiddler (free)
    w3af (open source)

Penetration / exploratory testing
  To work like a hacker and break into the system
  To try scenarios, learn how the system works, try different scenarios, repeat.
  Tooling e.g.:
    Kali Linux (open source)
    Anything

DoS testing
  To verify behavior under overload situation
  Tooling e.g.:
    Performance verification test tool

Security audit
  To verify from external point of view
  Conducted by 3rd party

Threat and risk analysis
Privacy assessment
Feature documentation review
Code reviews, static analysis
Vulnerability notification
Statement of security compliancy
Dynamic testing
  Discovery test & Port scanning
  Vulnerability scanning
  Robustness testing (Fuzzing)
  Web app / database testing
  Penetration / exploratory testing
  DoS testing
  Security audit